-rw-r--r--security/selinux/hooks.c495
1 files changed, 245 insertions, 250 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c507f67e2ba7..1bf2543ea942 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4,22 +4,22 @@
4 * This file contains the SELinux hook function implementations. 4 * This file contains the SELinux hook function implementations.
5 * 5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com> 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com> 9 * James Morris <jmorris@redhat.com>
10 * 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com> 14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com> 16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp> 18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
19 * 19 *
20 * This program is free software; you can redistribute it and/or modify 20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2, 21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation. 22 * as published by the Free Software Foundation.
23 */ 23 */
24 24
25#include <linux/init.h> 25#include <linux/init.h>
@@ -99,11 +99,11 @@ extern struct security_operations *security_ops;
99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 100
101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102int selinux_enforcing = 0; 102int selinux_enforcing;
103 103
104static int __init enforcing_setup(char *str) 104static int __init enforcing_setup(char *str)
105{ 105{
106 selinux_enforcing = simple_strtol(str,NULL,0); 106 selinux_enforcing = simple_strtol(str, NULL, 0);
107 return 1; 107 return 1;
108} 108}
109__setup("enforcing=", enforcing_setup); 109__setup("enforcing=", enforcing_setup);
@@ -123,13 +123,13 @@ int selinux_enabled = 1;
123#endif 123#endif
124 124
125/* Original (dummy) security module. */ 125/* Original (dummy) security module. */
126static struct security_operations *original_ops = NULL; 126static struct security_operations *original_ops;
127 127
128/* Minimal support for a secondary security module, 128/* Minimal support for a secondary security module,
129 just to allow the use of the dummy or capability modules. 129 just to allow the use of the dummy or capability modules.
130 The owlsm module can alternatively be used as a secondary 130 The owlsm module can alternatively be used as a secondary
131 module as long as CONFIG_OWLSM_FD is not enabled. */ 131 module as long as CONFIG_OWLSM_FD is not enabled. */
132static struct security_operations *secondary_ops = NULL; 132static struct security_operations *secondary_ops;
133 133
134/* Lists of inode and superblock security structures initialized 134/* Lists of inode and superblock security structures initialized
135 before the policy was loaded. */ 135 before the policy was loaded. */
@@ -1054,7 +1054,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de,
1054 int buflen, rc; 1054 int buflen, rc;
1055 char *buffer, *path, *end; 1055 char *buffer, *path, *end;
1056 1056
1057 buffer = (char*)__get_free_page(GFP_KERNEL); 1057 buffer = (char *)__get_free_page(GFP_KERNEL);
1058 if (!buffer) 1058 if (!buffer)
1059 return -ENOMEM; 1059 return -ENOMEM;
1060 1060
@@ -1305,7 +1305,7 @@ static int task_has_capability(struct task_struct *tsk,
1305 1305
1306 tsec = tsk->security; 1306 tsec = tsk->security;
1307 1307
1308 AVC_AUDIT_DATA_INIT(&ad,CAP); 1308 AVC_AUDIT_DATA_INIT(&ad, CAP);
1309 ad.tsk = tsk; 1309 ad.tsk = tsk;
1310 ad.u.cap = cap; 1310 ad.u.cap = cap;
1311 1311
@@ -1348,7 +1348,7 @@ static int inode_has_perm(struct task_struct *tsk,
1348 struct inode_security_struct *isec; 1348 struct inode_security_struct *isec;
1349 struct avc_audit_data ad; 1349 struct avc_audit_data ad;
1350 1350
1351 if (unlikely (IS_PRIVATE (inode))) 1351 if (unlikely(IS_PRIVATE(inode)))
1352 return 0; 1352 return 0;
1353 1353
1354 tsec = tsk->security; 1354 tsec = tsk->security;
@@ -1373,7 +1373,7 @@ static inline int dentry_has_perm(struct task_struct *tsk,
1373{ 1373{
1374 struct inode *inode = dentry->d_inode; 1374 struct inode *inode = dentry->d_inode;
1375 struct avc_audit_data ad; 1375 struct avc_audit_data ad;
1376 AVC_AUDIT_DATA_INIT(&ad,FS); 1376 AVC_AUDIT_DATA_INIT(&ad, FS);
1377 ad.u.fs.path.mnt = mnt; 1377 ad.u.fs.path.mnt = mnt;
1378 ad.u.fs.path.dentry = dentry; 1378 ad.u.fs.path.dentry = dentry;
1379 return inode_has_perm(tsk, inode, av, &ad); 1379 return inode_has_perm(tsk, inode, av, &ad);
@@ -1470,9 +1470,9 @@ static int may_create_key(u32 ksid,
1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1471} 1471}
1472 1472
1473#define MAY_LINK 0 1473#define MAY_LINK 0
1474#define MAY_UNLINK 1 1474#define MAY_UNLINK 1
1475#define MAY_RMDIR 2 1475#define MAY_RMDIR 2
1476 1476
1477/* Check whether a task can link, unlink, or rmdir a file/directory. */ 1477/* Check whether a task can link, unlink, or rmdir a file/directory. */
1478static int may_link(struct inode *dir, 1478static int may_link(struct inode *dir,
@@ -1676,7 +1676,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1676{ 1676{
1677 int rc; 1677 int rc;
1678 1678
1679 rc = secondary_ops->ptrace(parent,child); 1679 rc = secondary_ops->ptrace(parent, child);
1680 if (rc) 1680 if (rc)
1681 return rc; 1681 return rc;
1682 1682
@@ -1684,7 +1684,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1684} 1684}
1685 1685
1686static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1686static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1687 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1687 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1688{ 1688{
1689 int error; 1689 int error;
1690 1690
@@ -1696,7 +1696,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1696} 1696}
1697 1697
1698static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1698static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1699 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1699 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1700{ 1700{
1701 int error; 1701 int error;
1702 1702
@@ -1708,7 +1708,7 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect
1708} 1708}
1709 1709
1710static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1710static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1711 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1711 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1712{ 1712{
1713 secondary_ops->capset_set(target, effective, inheritable, permitted); 1713 secondary_ops->capset_set(target, effective, inheritable, permitted);
1714} 1714}
@@ -1721,7 +1721,7 @@ static int selinux_capable(struct task_struct *tsk, int cap)
1721 if (rc) 1721 if (rc)
1722 return rc; 1722 return rc;
1723 1723
1724 return task_has_capability(tsk,cap); 1724 return task_has_capability(tsk, cap);
1725} 1725}
1726 1726
1727static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1727static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -1730,7 +1730,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1730 char *buffer, *path, *end; 1730 char *buffer, *path, *end;
1731 1731
1732 rc = -ENOMEM; 1732 rc = -ENOMEM;
1733 buffer = (char*)__get_free_page(GFP_KERNEL); 1733 buffer = (char *)__get_free_page(GFP_KERNEL);
1734 if (!buffer) 1734 if (!buffer)
1735 goto out; 1735 goto out;
1736 1736
@@ -1788,7 +1788,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1788 1788
1789 /* The op values are "defined" in sysctl.c, thereby creating 1789 /* The op values are "defined" in sysctl.c, thereby creating
1790 * a bad coupling between this module and sysctl.c */ 1790 * a bad coupling between this module and sysctl.c */
1791 if(op == 001) { 1791 if (op == 001) {
1792 error = avc_has_perm(tsec->sid, tsid, 1792 error = avc_has_perm(tsec->sid, tsid,
1793 SECCLASS_DIR, DIR__SEARCH, NULL); 1793 SECCLASS_DIR, DIR__SEARCH, NULL);
1794 } else { 1794 } else {
@@ -1800,7 +1800,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1800 if (av) 1800 if (av)
1801 error = avc_has_perm(tsec->sid, tsid, 1801 error = avc_has_perm(tsec->sid, tsid,
1802 SECCLASS_FILE, av, NULL); 1802 SECCLASS_FILE, av, NULL);
1803 } 1803 }
1804 1804
1805 return error; 1805 return error;
1806} 1806}
@@ -1813,25 +1813,23 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1813 return 0; 1813 return 0;
1814 1814
1815 switch (cmds) { 1815 switch (cmds) {
1816 case Q_SYNC: 1816 case Q_SYNC:
1817 case Q_QUOTAON: 1817 case Q_QUOTAON:
1818 case Q_QUOTAOFF: 1818 case Q_QUOTAOFF:
1819 case Q_SETINFO: 1819 case Q_SETINFO:
1820 case Q_SETQUOTA: 1820 case Q_SETQUOTA:
1821 rc = superblock_has_perm(current, 1821 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1822 sb, 1822 NULL);
1823 FILESYSTEM__QUOTAMOD, NULL); 1823 break;
1824 break; 1824 case Q_GETFMT:
1825 case Q_GETFMT: 1825 case Q_GETINFO:
1826 case Q_GETINFO: 1826 case Q_GETQUOTA:
1827 case Q_GETQUOTA: 1827 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1828 rc = superblock_has_perm(current, 1828 NULL);
1829 sb, 1829 break;
1830 FILESYSTEM__QUOTAGET, NULL); 1830 default:
1831 break; 1831 rc = 0; /* let the kernel handle invalid cmds */
1832 default: 1832 break;
1833 rc = 0; /* let the kernel handle invalid cmds */
1834 break;
1835 } 1833 }
1836 return rc; 1834 return rc;
1837} 1835}
@@ -1850,23 +1848,23 @@ static int selinux_syslog(int type)
1850 return rc; 1848 return rc;
1851 1849
1852 switch (type) { 1850 switch (type) {
1853 case 3: /* Read last kernel messages */ 1851 case 3: /* Read last kernel messages */
1854 case 10: /* Return size of the log buffer */ 1852 case 10: /* Return size of the log buffer */
1855 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1853 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1856 break; 1854 break;
1857 case 6: /* Disable logging to console */ 1855 case 6: /* Disable logging to console */
1858 case 7: /* Enable logging to console */ 1856 case 7: /* Enable logging to console */
1859 case 8: /* Set level of messages printed to console */ 1857 case 8: /* Set level of messages printed to console */
1860 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1858 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1861 break; 1859 break;
1862 case 0: /* Close log */ 1860 case 0: /* Close log */
1863 case 1: /* Open log */ 1861 case 1: /* Open log */
1864 case 2: /* Read from log */ 1862 case 2: /* Read from log */
1865 case 4: /* Read/clear last kernel messages */ 1863 case 4: /* Read/clear last kernel messages */
1866 case 5: /* Clear ring buffer */ 1864 case 5: /* Clear ring buffer */
1867 default: 1865 default:
1868 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1866 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1869 break; 1867 break;
1870 } 1868 }
1871 return rc; 1869 return rc;
1872} 1870}
@@ -1972,7 +1970,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
1972 } else { 1970 } else {
1973 /* Check for a default transition on this program. */ 1971 /* Check for a default transition on this program. */
1974 rc = security_transition_sid(tsec->sid, isec->sid, 1972 rc = security_transition_sid(tsec->sid, isec->sid,
1975 SECCLASS_PROCESS, &newsid); 1973 SECCLASS_PROCESS, &newsid);
1976 if (rc) 1974 if (rc)
1977 return rc; 1975 return rc;
1978 } 1976 }
@@ -1983,7 +1981,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
1983 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 1981 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1984 newsid = tsec->sid; 1982 newsid = tsec->sid;
1985 1983
1986 if (tsec->sid == newsid) { 1984 if (tsec->sid == newsid) {
1987 rc = avc_has_perm(tsec->sid, isec->sid, 1985 rc = avc_has_perm(tsec->sid, isec->sid,
1988 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1986 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1989 if (rc) 1987 if (rc)
@@ -2011,13 +2009,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
2011 return 0; 2009 return 0;
2012} 2010}
2013 2011
2014static int selinux_bprm_check_security (struct linux_binprm *bprm) 2012static int selinux_bprm_check_security(struct linux_binprm *bprm)
2015{ 2013{
2016 return secondary_ops->bprm_check_security(bprm); 2014 return secondary_ops->bprm_check_security(bprm);
2017} 2015}
2018 2016
2019 2017
2020static int selinux_bprm_secureexec (struct linux_binprm *bprm) 2018static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2021{ 2019{
2022 struct task_security_struct *tsec = current->security; 2020 struct task_security_struct *tsec = current->security;
2023 int atsecure = 0; 2021 int atsecure = 0;
@@ -2044,7 +2042,7 @@ extern struct vfsmount *selinuxfs_mount;
2044extern struct dentry *selinux_null; 2042extern struct dentry *selinux_null;
2045 2043
2046/* Derived from fs/exec.c:flush_old_files. */ 2044/* Derived from fs/exec.c:flush_old_files. */
2047static inline void flush_unauthorized_files(struct files_struct * files) 2045static inline void flush_unauthorized_files(struct files_struct *files)
2048{ 2046{
2049 struct avc_audit_data ad; 2047 struct avc_audit_data ad;
2050 struct file *file, *devnull = NULL; 2048 struct file *file, *devnull = NULL;
@@ -2079,7 +2077,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
2079 2077
2080 /* Revalidate access to inherited open files. */ 2078 /* Revalidate access to inherited open files. */
2081 2079
2082 AVC_AUDIT_DATA_INIT(&ad,FS); 2080 AVC_AUDIT_DATA_INIT(&ad, FS);
2083 2081
2084 spin_lock(&files->file_lock); 2082 spin_lock(&files->file_lock);
2085 for (;;) { 2083 for (;;) {
@@ -2095,7 +2093,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
2095 if (!set) 2093 if (!set)
2096 continue; 2094 continue;
2097 spin_unlock(&files->file_lock); 2095 spin_unlock(&files->file_lock);
2098 for ( ; set ; i++,set >>= 1) { 2096 for ( ; set ; i++, set >>= 1) {
2099 if (set & 1) { 2097 if (set & 1) {
2100 file = fget(i); 2098 file = fget(i);
2101 if (!file) 2099 if (!file)
@@ -2252,7 +2250,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2252 for (i = 0; i < RLIM_NLIMITS; i++) { 2250 for (i = 0; i < RLIM_NLIMITS; i++) {
2253 rlim = current->signal->rlim + i; 2251 rlim = current->signal->rlim + i;
2254 initrlim = init_task.signal->rlim+i; 2252 initrlim = init_task.signal->rlim+i;
2255 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 2253 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2256 } 2254 }
2257 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 2255 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2258 /* 2256 /*
@@ -2307,16 +2305,15 @@ static inline void take_option(char **to, char *from, int *first, int len)
2307 *to += len; 2305 *to += len;
2308} 2306}
2309 2307
2310static inline void take_selinux_option(char **to, char *from, int *first, 2308static inline void take_selinux_option(char **to, char *from, int *first,
2311 int len) 2309 int len)
2312{ 2310{
2313 int current_size = 0; 2311 int current_size = 0;
2314 2312
2315 if (!*first) { 2313 if (!*first) {
2316 **to = '|'; 2314 **to = '|';
2317 *to += 1; 2315 *to += 1;
2318 } 2316 } else
2319 else
2320 *first = 0; 2317 *first = 0;
2321 2318
2322 while (current_size < len) { 2319 while (current_size < len) {
@@ -2380,7 +2377,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2380 if (rc) 2377 if (rc)
2381 return rc; 2378 return rc;
2382 2379
2383 AVC_AUDIT_DATA_INIT(&ad,FS); 2380 AVC_AUDIT_DATA_INIT(&ad, FS);
2384 ad.u.fs.path.dentry = sb->s_root; 2381 ad.u.fs.path.dentry = sb->s_root;
2385 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2382 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2386} 2383}
@@ -2389,16 +2386,16 @@ static int selinux_sb_statfs(struct dentry *dentry)
2389{ 2386{
2390 struct avc_audit_data ad; 2387 struct avc_audit_data ad;
2391 2388
2392 AVC_AUDIT_DATA_INIT(&ad,FS); 2389 AVC_AUDIT_DATA_INIT(&ad, FS);
2393 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2390 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2394 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2391 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2395} 2392}
2396 2393
2397static int selinux_mount(char * dev_name, 2394static int selinux_mount(char *dev_name,
2398 struct nameidata *nd, 2395 struct nameidata *nd,
2399 char * type, 2396 char *type,
2400 unsigned long flags, 2397 unsigned long flags,
2401 void * data) 2398 void *data)
2402{ 2399{
2403 int rc; 2400 int rc;
2404 2401
@@ -2408,10 +2405,10 @@ static int selinux_mount(char * dev_name,
2408 2405
2409 if (flags & MS_REMOUNT) 2406 if (flags & MS_REMOUNT)
2410 return superblock_has_perm(current, nd->path.mnt->mnt_sb, 2407 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2411 FILESYSTEM__REMOUNT, NULL); 2408 FILESYSTEM__REMOUNT, NULL);
2412 else 2409 else
2413 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, 2410 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2414 FILE__MOUNTON); 2411 FILE__MOUNTON);
2415} 2412}
2416 2413
2417static int selinux_umount(struct vfsmount *mnt, int flags) 2414static int selinux_umount(struct vfsmount *mnt, int flags)
@@ -2422,8 +2419,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags)
2422 if (rc) 2419 if (rc)
2423 return rc; 2420 return rc;
2424 2421
2425 return superblock_has_perm(current,mnt->mnt_sb, 2422 return superblock_has_perm(current, mnt->mnt_sb,
2426 FILESYSTEM__UNMOUNT,NULL); 2423 FILESYSTEM__UNMOUNT, NULL);
2427} 2424}
2428 2425
2429/* inode security operations */ 2426/* inode security operations */
@@ -2509,7 +2506,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru
2509{ 2506{
2510 int rc; 2507 int rc;
2511 2508
2512 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2509 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2513 if (rc) 2510 if (rc)
2514 return rc; 2511 return rc;
2515 return may_link(dir, old_dentry, MAY_LINK); 2512 return may_link(dir, old_dentry, MAY_LINK);
@@ -2552,7 +2549,7 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod
2552} 2549}
2553 2550
2554static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2551static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2555 struct inode *new_inode, struct dentry *new_dentry) 2552 struct inode *new_inode, struct dentry *new_dentry)
2556{ 2553{
2557 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2554 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2558} 2555}
@@ -2566,7 +2563,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
2566{ 2563{
2567 int rc; 2564 int rc;
2568 2565
2569 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2566 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2570 if (rc) 2567 if (rc)
2571 return rc; 2568 return rc;
2572 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2569 return dentry_has_perm(current, NULL, dentry, FILE__READ);
@@ -2652,7 +2649,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
2652 if (!is_owner_or_cap(inode)) 2649 if (!is_owner_or_cap(inode))
2653 return -EPERM; 2650 return -EPERM;
2654 2651
2655 AVC_AUDIT_DATA_INIT(&ad,FS); 2652 AVC_AUDIT_DATA_INIT(&ad, FS);
2656 ad.u.fs.path.dentry = dentry; 2653 ad.u.fs.path.dentry = dentry;
2657 2654
2658 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2655 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
@@ -2670,7 +2667,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
2670 return rc; 2667 return rc;
2671 2668
2672 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2669 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2673 isec->sclass); 2670 isec->sclass);
2674 if (rc) 2671 if (rc)
2675 return rc; 2672 return rc;
2676 2673
@@ -2682,7 +2679,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
2682} 2679}
2683 2680
2684static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2681static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2685 void *value, size_t size, int flags) 2682 void *value, size_t size, int flags)
2686{ 2683{
2687 struct inode *inode = dentry->d_inode; 2684 struct inode *inode = dentry->d_inode;
2688 struct inode_security_struct *isec = inode->i_security; 2685 struct inode_security_struct *isec = inode->i_security;
@@ -2705,17 +2702,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2705 return; 2702 return;
2706} 2703}
2707 2704
2708static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2705static int selinux_inode_getxattr(struct dentry *dentry, char *name)
2709{ 2706{
2710 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2707 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2711} 2708}
2712 2709
2713static int selinux_inode_listxattr (struct dentry *dentry) 2710static int selinux_inode_listxattr(struct dentry *dentry)
2714{ 2711{
2715 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2712 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2716} 2713}
2717 2714
2718static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2715static int selinux_inode_removexattr(struct dentry *dentry, char *name)
2719{ 2716{
2720 if (strcmp(name, XATTR_NAME_SELINUX)) 2717 if (strcmp(name, XATTR_NAME_SELINUX))
2721 return selinux_inode_setotherxattr(dentry, name); 2718 return selinux_inode_setotherxattr(dentry, name);
@@ -2756,7 +2753,7 @@ out_nofree:
2756} 2753}
2757 2754
2758static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2755static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2759 const void *value, size_t size, int flags) 2756 const void *value, size_t size, int flags)
2760{ 2757{
2761 struct inode_security_struct *isec = inode->i_security; 2758 struct inode_security_struct *isec = inode->i_security;
2762 u32 newsid; 2759 u32 newsid;
@@ -2768,7 +2765,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2768 if (!value || !size) 2765 if (!value || !size)
2769 return -EACCES; 2766 return -EACCES;
2770 2767
2771 rc = security_context_to_sid((void*)value, size, &newsid); 2768 rc = security_context_to_sid((void *)value, size, &newsid);
2772 if (rc) 2769 if (rc)
2773 return rc; 2770 return rc;
2774 2771
@@ -2859,42 +2856,41 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2859 int error = 0; 2856 int error = 0;
2860 2857
2861 switch (cmd) { 2858 switch (cmd) {
2862 case FIONREAD: 2859 case FIONREAD:
2863 /* fall through */ 2860 /* fall through */
2864 case FIBMAP: 2861 case FIBMAP:
2865 /* fall through */ 2862 /* fall through */
2866 case FIGETBSZ: 2863 case FIGETBSZ:
2867 /* fall through */ 2864 /* fall through */
2868 case EXT2_IOC_GETFLAGS: 2865 case EXT2_IOC_GETFLAGS:
2869 /* fall through */ 2866 /* fall through */
2870 case EXT2_IOC_GETVERSION: 2867 case EXT2_IOC_GETVERSION:
2871 error = file_has_perm(current, file, FILE__GETATTR); 2868 error = file_has_perm(current, file, FILE__GETATTR);
2872 break; 2869 break;
2873
2874 case EXT2_IOC_SETFLAGS:
2875 /* fall through */
2876 case EXT2_IOC_SETVERSION:
2877 error = file_has_perm(current, file, FILE__SETATTR);
2878 break;
2879 2870
2880 /* sys_ioctl() checks */ 2871 case EXT2_IOC_SETFLAGS:
2881 case FIONBIO: 2872 /* fall through */
2882 /* fall through */ 2873 case EXT2_IOC_SETVERSION:
2883 case FIOASYNC: 2874 error = file_has_perm(current, file, FILE__SETATTR);
2884 error = file_has_perm(current, file, 0); 2875 break;
2885 break;
2886 2876
2887 case KDSKBENT: 2877 /* sys_ioctl() checks */
2888 case KDSKBSENT: 2878 case FIONBIO:
2889 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2879 /* fall through */
2890 break; 2880 case FIOASYNC:
2881 error = file_has_perm(current, file, 0);
2882 break;
2891 2883
2892 /* default case assumes that the command will go 2884 case KDSKBENT:
2893 * to the file's ioctl() function. 2885 case KDSKBSENT:
2894 */ 2886 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2895 default: 2887 break;
2896 error = file_has_perm(current, file, FILE__IOCTL);
2897 2888
2889 /* default case assumes that the command will go
2890 * to the file's ioctl() function.
2891 */
2892 default:
2893 error = file_has_perm(current, file, FILE__IOCTL);
2898 } 2894 }
2899 return error; 2895 return error;
2900} 2896}
@@ -2935,7 +2931,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2935 unsigned long addr, unsigned long addr_only) 2931 unsigned long addr, unsigned long addr_only)
2936{ 2932{
2937 int rc = 0; 2933 int rc = 0;
2938 u32 sid = ((struct task_security_struct*)(current->security))->sid; 2934 u32 sid = ((struct task_security_struct *)(current->security))->sid;
2939 2935
2940 if (addr < mmap_min_addr) 2936 if (addr < mmap_min_addr)
2941 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 2937 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
@@ -3004,39 +3000,39 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3004 int err = 0; 3000 int err = 0;
3005 3001
3006 switch (cmd) { 3002 switch (cmd) {
3007 case F_SETFL: 3003 case F_SETFL:
3008 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3004 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3009 err = -EINVAL; 3005 err = -EINVAL;
3010 break; 3006 break;
3011 } 3007 }
3012 3008
3013 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3009 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3014 err = file_has_perm(current, file,FILE__WRITE); 3010 err = file_has_perm(current, file, FILE__WRITE);
3015 break;
3016 }
3017 /* fall through */
3018 case F_SETOWN:
3019 case F_SETSIG:
3020 case F_GETFL:
3021 case F_GETOWN:
3022 case F_GETSIG:
3023 /* Just check FD__USE permission */
3024 err = file_has_perm(current, file, 0);
3025 break; 3011 break;
3026 case F_GETLK: 3012 }
3027 case F_SETLK: 3013 /* fall through */
3028 case F_SETLKW: 3014 case F_SETOWN:
3015 case F_SETSIG:
3016 case F_GETFL:
3017 case F_GETOWN:
3018 case F_GETSIG:
3019 /* Just check FD__USE permission */
3020 err = file_has_perm(current, file, 0);
3021 break;
3022 case F_GETLK:
3023 case F_SETLK:
3024 case F_SETLKW:
3029#if BITS_PER_LONG == 32 3025#if BITS_PER_LONG == 32
3030 case F_GETLK64: 3026 case F_GETLK64:
3031 case F_SETLK64: 3027 case F_SETLK64:
3032 case F_SETLKW64: 3028 case F_SETLKW64:
3033#endif 3029#endif
3034 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3030 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3035 err = -EINVAL; 3031 err = -EINVAL;
3036 break;
3037 }
3038 err = file_has_perm(current, file, FILE__LOCK);
3039 break; 3032 break;
3033 }
3034 err = file_has_perm(current, file, FILE__LOCK);
3035 break;
3040 } 3036 }
3041 3037
3042 return err; 3038 return err;
@@ -3057,13 +3053,13 @@ static int selinux_file_set_fowner(struct file *file)
3057static int selinux_file_send_sigiotask(struct task_struct *tsk, 3053static int selinux_file_send_sigiotask(struct task_struct *tsk,
3058 struct fown_struct *fown, int signum) 3054 struct fown_struct *fown, int signum)
3059{ 3055{
3060 struct file *file; 3056 struct file *file;
3061 u32 perm; 3057 u32 perm;
3062 struct task_security_struct *tsec; 3058 struct task_security_struct *tsec;
3063 struct file_security_struct *fsec; 3059 struct file_security_struct *fsec;
3064 3060
3065 /* struct fown_struct is never outside the context of a struct file */ 3061 /* struct fown_struct is never outside the context of a struct file */
3066 file = container_of(fown, struct file, f_owner); 3062 file = container_of(fown, struct file, f_owner);
3067 3063
3068 tsec = tsk->security; 3064 tsec = tsk->security;
3069 fsec = file->f_security; 3065 fsec = file->f_security;
@@ -3165,7 +3161,7 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3165 3161
3166static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3162static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3167{ 3163{
3168 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 3164 return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3169} 3165}
3170 3166
3171static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3167static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
@@ -3209,7 +3205,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
3209 if (rc) 3205 if (rc)
3210 return rc; 3206 return rc;
3211 3207
3212 return task_has_perm(current,p, PROCESS__SETSCHED); 3208 return task_has_perm(current, p, PROCESS__SETSCHED);
3213} 3209}
3214 3210
3215static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3211static int selinux_task_setioprio(struct task_struct *p, int ioprio)
@@ -3313,7 +3309,7 @@ static int selinux_task_wait(struct task_struct *p)
3313 3309
3314static void selinux_task_reparent_to_init(struct task_struct *p) 3310static void selinux_task_reparent_to_init(struct task_struct *p)
3315{ 3311{
3316 struct task_security_struct *tsec; 3312 struct task_security_struct *tsec;
3317 3313
3318 secondary_ops->task_reparent_to_init(p); 3314 secondary_ops->task_reparent_to_init(p);
3319 3315
@@ -3358,11 +3354,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3358 *proto = ih->protocol; 3354 *proto = ih->protocol;
3359 3355
3360 switch (ih->protocol) { 3356 switch (ih->protocol) {
3361 case IPPROTO_TCP: { 3357 case IPPROTO_TCP: {
3362 struct tcphdr _tcph, *th; 3358 struct tcphdr _tcph, *th;
3363 3359
3364 if (ntohs(ih->frag_off) & IP_OFFSET) 3360 if (ntohs(ih->frag_off) & IP_OFFSET)
3365 break; 3361 break;
3366 3362
3367 offset += ihlen; 3363 offset += ihlen;
3368 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3364 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
@@ -3372,23 +3368,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3372 ad->u.net.sport = th->source; 3368 ad->u.net.sport = th->source;
3373 ad->u.net.dport = th->dest; 3369 ad->u.net.dport = th->dest;
3374 break; 3370 break;
3375 } 3371 }
3376 3372
3377 case IPPROTO_UDP: { 3373 case IPPROTO_UDP: {
3378 struct udphdr _udph, *uh; 3374 struct udphdr _udph, *uh;
3379 3375
3380 if (ntohs(ih->frag_off) & IP_OFFSET) 3376 if (ntohs(ih->frag_off) & IP_OFFSET)
3381 break; 3377 break;
3382 3378
3383 offset += ihlen; 3379 offset += ihlen;
3384 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3380 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3385 if (uh == NULL) 3381 if (uh == NULL)
3386 break; 3382 break;
3387 3383
3388 ad->u.net.sport = uh->source; 3384 ad->u.net.sport = uh->source;
3389 ad->u.net.dport = uh->dest; 3385 ad->u.net.dport = uh->dest;
3390 break; 3386 break;
3391 } 3387 }
3392 3388
3393 case IPPROTO_DCCP: { 3389 case IPPROTO_DCCP: {
3394 struct dccp_hdr _dccph, *dh; 3390 struct dccp_hdr _dccph, *dh;
@@ -3404,11 +3400,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3404 ad->u.net.sport = dh->dccph_sport; 3400 ad->u.net.sport = dh->dccph_sport;
3405 ad->u.net.dport = dh->dccph_dport; 3401 ad->u.net.dport = dh->dccph_dport;
3406 break; 3402 break;
3407 } 3403 }
3408 3404
3409 default: 3405 default:
3410 break; 3406 break;
3411 } 3407 }
3412out: 3408out:
3413 return ret; 3409 return ret;
3414} 3410}
@@ -3443,7 +3439,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3443 3439
3444 switch (nexthdr) { 3440 switch (nexthdr) {
3445 case IPPROTO_TCP: { 3441 case IPPROTO_TCP: {
3446 struct tcphdr _tcph, *th; 3442 struct tcphdr _tcph, *th;
3447 3443
3448 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3444 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3449 if (th == NULL) 3445 if (th == NULL)
@@ -3476,7 +3472,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3476 ad->u.net.sport = dh->dccph_sport; 3472 ad->u.net.sport = dh->dccph_sport;
3477 ad->u.net.dport = dh->dccph_dport; 3473 ad->u.net.dport = dh->dccph_dport;
3478 break; 3474 break;
3479 } 3475 }
3480 3476
3481 /* includes fragments */ 3477 /* includes fragments */
3482 default: 3478 default:
@@ -3574,7 +3570,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3574 if (isec->sid == SECINITSID_KERNEL) 3570 if (isec->sid == SECINITSID_KERNEL)
3575 goto out; 3571 goto out;
3576 3572
3577 AVC_AUDIT_DATA_INIT(&ad,NET); 3573 AVC_AUDIT_DATA_INIT(&ad, NET);
3578 ad.u.net.sk = sock->sk; 3574 ad.u.net.sk = sock->sk;
3579 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3575 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3580 3576
@@ -3684,7 +3680,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3684 snum, &sid); 3680 snum, &sid);
3685 if (err) 3681 if (err)
3686 goto out; 3682 goto out;
3687 AVC_AUDIT_DATA_INIT(&ad,NET); 3683 AVC_AUDIT_DATA_INIT(&ad, NET);
3688 ad.u.net.sport = htons(snum); 3684 ad.u.net.sport = htons(snum);
3689 ad.u.net.family = family; 3685 ad.u.net.family = family;
3690 err = avc_has_perm(isec->sid, sid, 3686 err = avc_has_perm(isec->sid, sid,
@@ -3694,12 +3690,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3694 goto out; 3690 goto out;
3695 } 3691 }
3696 } 3692 }
3697 3693
3698 switch(isec->sclass) { 3694 switch (isec->sclass) {
3699 case SECCLASS_TCP_SOCKET: 3695 case SECCLASS_TCP_SOCKET:
3700 node_perm = TCP_SOCKET__NODE_BIND; 3696 node_perm = TCP_SOCKET__NODE_BIND;
3701 break; 3697 break;
3702 3698
3703 case SECCLASS_UDP_SOCKET: 3699 case SECCLASS_UDP_SOCKET:
3704 node_perm = UDP_SOCKET__NODE_BIND; 3700 node_perm = UDP_SOCKET__NODE_BIND;
3705 break; 3701 break;
@@ -3712,12 +3708,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3712 node_perm = RAWIP_SOCKET__NODE_BIND; 3708 node_perm = RAWIP_SOCKET__NODE_BIND;
3713 break; 3709 break;
3714 } 3710 }
3715 3711
3716 err = sel_netnode_sid(addrp, family, &sid); 3712 err = sel_netnode_sid(addrp, family, &sid);
3717 if (err) 3713 if (err)
3718 goto out; 3714 goto out;
3719 3715
3720 AVC_AUDIT_DATA_INIT(&ad,NET); 3716 AVC_AUDIT_DATA_INIT(&ad, NET);
3721 ad.u.net.sport = htons(snum); 3717 ad.u.net.sport = htons(snum);
3722 ad.u.net.family = family; 3718 ad.u.net.family = family;
3723 3719
@@ -3727,7 +3723,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3727 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3723 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3728 3724
3729 err = avc_has_perm(isec->sid, sid, 3725 err = avc_has_perm(isec->sid, sid,
3730 isec->sclass, node_perm, &ad); 3726 isec->sclass, node_perm, &ad);
3731 if (err) 3727 if (err)
3732 goto out; 3728 goto out;
3733 } 3729 }
@@ -3776,7 +3772,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3776 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3772 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3777 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3773 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3778 3774
3779 AVC_AUDIT_DATA_INIT(&ad,NET); 3775 AVC_AUDIT_DATA_INIT(&ad, NET);
3780 ad.u.net.dport = htons(snum); 3776 ad.u.net.dport = htons(snum);
3781 ad.u.net.family = sk->sk_family; 3777 ad.u.net.family = sk->sk_family;
3782 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3778 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
@@ -3814,7 +3810,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3814} 3810}
3815 3811
3816static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3812static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3817 int size) 3813 int size)
3818{ 3814{
3819 int rc; 3815 int rc;
3820 3816
@@ -3841,7 +3837,7 @@ static int selinux_socket_getpeername(struct socket *sock)
3841 return socket_has_perm(current, sock, SOCKET__GETATTR); 3837 return socket_has_perm(current, sock, SOCKET__GETATTR);
3842} 3838}
3843 3839
3844static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3840static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3845{ 3841{
3846 int err; 3842 int err;
3847 3843
@@ -3880,7 +3876,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
3880 isec = SOCK_INODE(sock)->i_security; 3876 isec = SOCK_INODE(sock)->i_security;
3881 other_isec = SOCK_INODE(other)->i_security; 3877 other_isec = SOCK_INODE(other)->i_security;
3882 3878
3883 AVC_AUDIT_DATA_INIT(&ad,NET); 3879 AVC_AUDIT_DATA_INIT(&ad, NET);
3884 ad.u.net.sk = other->sk; 3880 ad.u.net.sk = other->sk;
3885 3881
3886 err = avc_has_perm(isec->sid, other_isec->sid, 3882 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -3892,7 +3888,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
3892 /* connecting socket */ 3888 /* connecting socket */
3893 ssec = sock->sk->sk_security; 3889 ssec = sock->sk->sk_security;
3894 ssec->peer_sid = other_isec->sid; 3890 ssec->peer_sid = other_isec->sid;
3895 3891
3896 /* server child socket */ 3892 /* server child socket */
3897 ssec = newsk->sk_security; 3893 ssec = newsk->sk_security;
3898 ssec->peer_sid = isec->sid; 3894 ssec->peer_sid = isec->sid;
@@ -3912,7 +3908,7 @@ static int selinux_socket_unix_may_send(struct socket *sock,
3912 isec = SOCK_INODE(sock)->i_security; 3908 isec = SOCK_INODE(sock)->i_security;
3913 other_isec = SOCK_INODE(other)->i_security; 3909 other_isec = SOCK_INODE(other)->i_security;
3914 3910
3915 AVC_AUDIT_DATA_INIT(&ad,NET); 3911 AVC_AUDIT_DATA_INIT(&ad, NET);
3916 ad.u.net.sk = other->sk; 3912 ad.u.net.sk = other->sk;
3917 3913
3918 err = avc_has_perm(isec->sid, other_isec->sid, 3914 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -3990,7 +3986,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3990 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3986 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3991 if (err) 3987 if (err)
3992 return err; 3988 return err;
3993 3989
3994 err = sel_netnode_sid(addrp, family, &node_sid); 3990 err = sel_netnode_sid(addrp, family, &node_sid);
3995 if (err) 3991 if (err)
3996 return err; 3992 return err;
@@ -4141,7 +4137,7 @@ out_len:
4141 err = -EFAULT; 4137 err = -EFAULT;
4142 4138
4143 kfree(scontext); 4139 kfree(scontext);
4144out: 4140out:
4145 return err; 4141 return err;
4146} 4142}
4147 4143
@@ -4202,7 +4198,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4202 } 4198 }
4203} 4199}
4204 4200
4205static void selinux_sock_graft(struct sock* sk, struct socket *parent) 4201static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4206{ 4202{
4207 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4203 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4208 struct sk_security_struct *sksec = sk->sk_security; 4204 struct sk_security_struct *sksec = sk->sk_security;
@@ -4279,13 +4275,13 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4279 struct nlmsghdr *nlh; 4275 struct nlmsghdr *nlh;
4280 struct socket *sock = sk->sk_socket; 4276 struct socket *sock = sk->sk_socket;
4281 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 4277 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4282 4278
4283 if (skb->len < NLMSG_SPACE(0)) { 4279 if (skb->len < NLMSG_SPACE(0)) {
4284 err = -EINVAL; 4280 err = -EINVAL;
4285 goto out; 4281 goto out;
4286 } 4282 }
4287 nlh = nlmsg_hdr(skb); 4283 nlh = nlmsg_hdr(skb);
4288 4284
4289 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 4285 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4290 if (err) { 4286 if (err) {
4291 if (err == -EINVAL) { 4287 if (err == -EINVAL) {
@@ -4411,7 +4407,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4411 return err; 4407 return err;
4412 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4408 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4413 return err; 4409 return err;
4414 4410
4415 err = sel_netnode_sid(addrp, family, &node_sid); 4411 err = sel_netnode_sid(addrp, family, &node_sid);
4416 if (err) 4412 if (err)
4417 return err; 4413 return err;
@@ -4594,7 +4590,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4594 ad.u.cap = capability; 4590 ad.u.cap = capability;
4595 4591
4596 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4592 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4597 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 4593 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4598} 4594}
4599 4595
4600static int ipc_alloc_security(struct task_struct *task, 4596static int ipc_alloc_security(struct task_struct *task,
@@ -4686,7 +4682,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4686 isec = msq->q_perm.security; 4682 isec = msq->q_perm.security;
4687 4683
4688 AVC_AUDIT_DATA_INIT(&ad, IPC); 4684 AVC_AUDIT_DATA_INIT(&ad, IPC);
4689 ad.u.ipc_id = msq->q_perm.key; 4685 ad.u.ipc_id = msq->q_perm.key;
4690 4686
4691 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4687 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4692 MSGQ__CREATE, &ad); 4688 MSGQ__CREATE, &ad);
@@ -4723,7 +4719,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4723 int err; 4719 int err;
4724 int perms; 4720 int perms;
4725 4721
4726 switch(cmd) { 4722 switch (cmd) {
4727 case IPC_INFO: 4723 case IPC_INFO:
4728 case MSG_INFO: 4724 case MSG_INFO:
4729 /* No specific object, just general system-wide information. */ 4725 /* No specific object, just general system-wide information. */
@@ -4807,7 +4803,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4807 msec = msg->security; 4803 msec = msg->security;
4808 4804
4809 AVC_AUDIT_DATA_INIT(&ad, IPC); 4805 AVC_AUDIT_DATA_INIT(&ad, IPC);
4810 ad.u.ipc_id = msq->q_perm.key; 4806 ad.u.ipc_id = msq->q_perm.key;
4811 4807
4812 rc = avc_has_perm(tsec->sid, isec->sid, 4808 rc = avc_has_perm(tsec->sid, isec->sid,
4813 SECCLASS_MSGQ, MSGQ__READ, &ad); 4809 SECCLASS_MSGQ, MSGQ__READ, &ad);
@@ -4833,7 +4829,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4833 isec = shp->shm_perm.security; 4829 isec = shp->shm_perm.security;
4834 4830
4835 AVC_AUDIT_DATA_INIT(&ad, IPC); 4831 AVC_AUDIT_DATA_INIT(&ad, IPC);
4836 ad.u.ipc_id = shp->shm_perm.key; 4832 ad.u.ipc_id = shp->shm_perm.key;
4837 4833
4838 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4834 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4839 SHM__CREATE, &ad); 4835 SHM__CREATE, &ad);
@@ -4871,7 +4867,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4871 int perms; 4867 int perms;
4872 int err; 4868 int err;
4873 4869
4874 switch(cmd) { 4870 switch (cmd) {
4875 case IPC_INFO: 4871 case IPC_INFO:
4876 case SHM_INFO: 4872 case SHM_INFO:
4877 /* No specific object, just general system-wide information. */ 4873 /* No specific object, just general system-wide information. */
@@ -4932,7 +4928,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
4932 isec = sma->sem_perm.security; 4928 isec = sma->sem_perm.security;
4933 4929
4934 AVC_AUDIT_DATA_INIT(&ad, IPC); 4930 AVC_AUDIT_DATA_INIT(&ad, IPC);
4935 ad.u.ipc_id = sma->sem_perm.key; 4931 ad.u.ipc_id = sma->sem_perm.key;
4936 4932
4937 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4933 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4938 SEM__CREATE, &ad); 4934 SEM__CREATE, &ad);
@@ -4970,7 +4966,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4970 int err; 4966 int err;
4971 u32 perms; 4967 u32 perms;
4972 4968
4973 switch(cmd) { 4969 switch (cmd) {
4974 case IPC_INFO: 4970 case IPC_INFO:
4975 case SEM_INFO: 4971 case SEM_INFO:
4976 /* No specific object, just general system-wide information. */ 4972 /* No specific object, just general system-wide information. */
@@ -5042,13 +5038,13 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5042} 5038}
5043 5039
5044/* module stacking operations */ 5040/* module stacking operations */
5045static int selinux_register_security (const char *name, struct security_operations *ops) 5041static int selinux_register_security(const char *name, struct security_operations *ops)
5046{ 5042{
5047 if (secondary_ops != original_ops) { 5043 if (secondary_ops != original_ops) {
5048 printk(KERN_ERR "%s: There is already a secondary security " 5044 printk(KERN_ERR "%s: There is already a secondary security "
5049 "module registered.\n", __func__); 5045 "module registered.\n", __func__);
5050 return -EINVAL; 5046 return -EINVAL;
5051 } 5047 }
5052 5048
5053 secondary_ops = ops; 5049 secondary_ops = ops;
5054 5050
@@ -5059,7 +5055,7 @@ static int selinux_register_security (const char *name, struct security_operatio
5059 return 0; 5055 return 0;
5060} 5056}
5061 5057
5062static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 5058static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5063{ 5059{
5064 if (inode) 5060 if (inode)
5065 inode_doinit_with_dentry(inode, dentry); 5061 inode_doinit_with_dentry(inode, dentry);
@@ -5187,11 +5183,11 @@ static int selinux_setprocattr(struct task_struct *p,
5187 } 5183 }
5188 while_each_thread(g, t); 5184 while_each_thread(g, t);
5189 read_unlock(&tasklist_lock); 5185 read_unlock(&tasklist_lock);
5190 } 5186 }
5191 5187
5192 /* Check permissions for the transition. */ 5188 /* Check permissions for the transition. */
5193 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5189 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5194 PROCESS__DYNTRANSITION, NULL); 5190 PROCESS__DYNTRANSITION, NULL);
5195 if (error) 5191 if (error)
5196 return error; 5192 return error;
5197 5193
@@ -5219,8 +5215,7 @@ static int selinux_setprocattr(struct task_struct *p,
5219 tsec->sid = sid; 5215 tsec->sid = sid;
5220 task_unlock(p); 5216 task_unlock(p);
5221 } 5217 }
5222 } 5218 } else
5223 else
5224 return -EINVAL; 5219 return -EINVAL;
5225 5220
5226 return size; 5221 return size;
@@ -5310,7 +5305,7 @@ static struct security_operations selinux_ops = {
5310 .vm_enough_memory = selinux_vm_enough_memory, 5305 .vm_enough_memory = selinux_vm_enough_memory,
5311 5306
5312 .netlink_send = selinux_netlink_send, 5307 .netlink_send = selinux_netlink_send,
5313 .netlink_recv = selinux_netlink_recv, 5308 .netlink_recv = selinux_netlink_recv,
5314 5309
5315 .bprm_alloc_security = selinux_bprm_alloc_security, 5310 .bprm_alloc_security = selinux_bprm_alloc_security,
5316 .bprm_free_security = selinux_bprm_free_security, 5311 .bprm_free_security = selinux_bprm_free_security,
@@ -5323,13 +5318,13 @@ static struct security_operations selinux_ops = {
5323 .sb_alloc_security = selinux_sb_alloc_security, 5318 .sb_alloc_security = selinux_sb_alloc_security,
5324 .sb_free_security = selinux_sb_free_security, 5319 .sb_free_security = selinux_sb_free_security,
5325 .sb_copy_data = selinux_sb_copy_data, 5320 .sb_copy_data = selinux_sb_copy_data,
5326 .sb_kern_mount = selinux_sb_kern_mount, 5321 .sb_kern_mount = selinux_sb_kern_mount,
5327 .sb_statfs = selinux_sb_statfs, 5322 .sb_statfs = selinux_sb_statfs,
5328 .sb_mount = selinux_mount, 5323 .sb_mount = selinux_mount,
5329 .sb_umount = selinux_umount, 5324 .sb_umount = selinux_umount,
5330 .sb_get_mnt_opts = selinux_get_mnt_opts, 5325 .sb_get_mnt_opts = selinux_get_mnt_opts,
5331 .sb_set_mnt_opts = selinux_set_mnt_opts, 5326 .sb_set_mnt_opts = selinux_set_mnt_opts,
5332 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5327 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5333 .sb_parse_opts_str = selinux_parse_opts_str, 5328 .sb_parse_opts_str = selinux_parse_opts_str,
5334 5329
5335 5330
@@ -5354,9 +5349,9 @@ static struct security_operations selinux_ops = {
5354 .inode_getxattr = selinux_inode_getxattr, 5349 .inode_getxattr = selinux_inode_getxattr,
5355 .inode_listxattr = selinux_inode_listxattr, 5350 .inode_listxattr = selinux_inode_listxattr,
5356 .inode_removexattr = selinux_inode_removexattr, 5351 .inode_removexattr = selinux_inode_removexattr,
5357 .inode_getsecurity = selinux_inode_getsecurity, 5352 .inode_getsecurity = selinux_inode_getsecurity,
5358 .inode_setsecurity = selinux_inode_setsecurity, 5353 .inode_setsecurity = selinux_inode_setsecurity,
5359 .inode_listsecurity = selinux_inode_listsecurity, 5354 .inode_listsecurity = selinux_inode_listsecurity,
5360 .inode_need_killpriv = selinux_inode_need_killpriv, 5355 .inode_need_killpriv = selinux_inode_need_killpriv,
5361 .inode_killpriv = selinux_inode_killpriv, 5356 .inode_killpriv = selinux_inode_killpriv,
5362 .inode_getsecid = selinux_inode_getsecid, 5357 .inode_getsecid = selinux_inode_getsecid,
@@ -5373,7 +5368,7 @@ static struct security_operations selinux_ops = {
5373 .file_send_sigiotask = selinux_file_send_sigiotask, 5368 .file_send_sigiotask = selinux_file_send_sigiotask,
5374 .file_receive = selinux_file_receive, 5369 .file_receive = selinux_file_receive,
5375 5370
5376 .dentry_open = selinux_dentry_open, 5371 .dentry_open = selinux_dentry_open,
5377 5372
5378 .task_create = selinux_task_create, 5373 .task_create = selinux_task_create,
5379 .task_alloc_security = selinux_task_alloc_security, 5374 .task_alloc_security = selinux_task_alloc_security,
@@ -5383,7 +5378,7 @@ static struct security_operations selinux_ops = {
5383 .task_setgid = selinux_task_setgid, 5378 .task_setgid = selinux_task_setgid,
5384 .task_setpgid = selinux_task_setpgid, 5379 .task_setpgid = selinux_task_setpgid,
5385 .task_getpgid = selinux_task_getpgid, 5380 .task_getpgid = selinux_task_getpgid,
5386 .task_getsid = selinux_task_getsid, 5381 .task_getsid = selinux_task_getsid,
5387 .task_getsecid = selinux_task_getsecid, 5382 .task_getsecid = selinux_task_getsecid,
5388 .task_setgroups = selinux_task_setgroups, 5383 .task_setgroups = selinux_task_setgroups,
5389 .task_setnice = selinux_task_setnice, 5384 .task_setnice = selinux_task_setnice,
@@ -5397,7 +5392,7 @@ static struct security_operations selinux_ops = {
5397 .task_wait = selinux_task_wait, 5392 .task_wait = selinux_task_wait,
5398 .task_prctl = selinux_task_prctl, 5393 .task_prctl = selinux_task_prctl,
5399 .task_reparent_to_init = selinux_task_reparent_to_init, 5394 .task_reparent_to_init = selinux_task_reparent_to_init,
5400 .task_to_inode = selinux_task_to_inode, 5395 .task_to_inode = selinux_task_to_inode,
5401 5396
5402 .ipc_permission = selinux_ipc_permission, 5397 .ipc_permission = selinux_ipc_permission,
5403 .ipc_getsecid = selinux_ipc_getsecid, 5398 .ipc_getsecid = selinux_ipc_getsecid,
@@ -5418,24 +5413,24 @@ static struct security_operations selinux_ops = {
5418 .shm_shmctl = selinux_shm_shmctl, 5413 .shm_shmctl = selinux_shm_shmctl,
5419 .shm_shmat = selinux_shm_shmat, 5414 .shm_shmat = selinux_shm_shmat,
5420 5415
5421 .sem_alloc_security = selinux_sem_alloc_security, 5416 .sem_alloc_security = selinux_sem_alloc_security,
5422 .sem_free_security = selinux_sem_free_security, 5417 .sem_free_security = selinux_sem_free_security,
5423 .sem_associate = selinux_sem_associate, 5418 .sem_associate = selinux_sem_associate,
5424 .sem_semctl = selinux_sem_semctl, 5419 .sem_semctl = selinux_sem_semctl,
5425 .sem_semop = selinux_sem_semop, 5420 .sem_semop = selinux_sem_semop,
5426 5421
5427 .register_security = selinux_register_security, 5422 .register_security = selinux_register_security,
5428 5423
5429 .d_instantiate = selinux_d_instantiate, 5424 .d_instantiate = selinux_d_instantiate,
5430 5425
5431 .getprocattr = selinux_getprocattr, 5426 .getprocattr = selinux_getprocattr,
5432 .setprocattr = selinux_setprocattr, 5427 .setprocattr = selinux_setprocattr,
5433 5428
5434 .secid_to_secctx = selinux_secid_to_secctx, 5429 .secid_to_secctx = selinux_secid_to_secctx,
5435 .secctx_to_secid = selinux_secctx_to_secid, 5430 .secctx_to_secid = selinux_secctx_to_secid,
5436 .release_secctx = selinux_release_secctx, 5431 .release_secctx = selinux_release_secctx,
5437 5432
5438 .unix_stream_connect = selinux_socket_unix_stream_connect, 5433 .unix_stream_connect = selinux_socket_unix_stream_connect,
5439 .unix_may_send = selinux_socket_unix_may_send, 5434 .unix_may_send = selinux_socket_unix_may_send,
5440 5435
5441 .socket_create = selinux_socket_create, 5436 .socket_create = selinux_socket_create,
@@ -5457,7 +5452,7 @@ static struct security_operations selinux_ops = {
5457 .sk_alloc_security = selinux_sk_alloc_security, 5452 .sk_alloc_security = selinux_sk_alloc_security,
5458 .sk_free_security = selinux_sk_free_security, 5453 .sk_free_security = selinux_sk_free_security,
5459 .sk_clone_security = selinux_sk_clone_security, 5454 .sk_clone_security = selinux_sk_clone_security,
5460 .sk_getsecid = selinux_sk_getsecid, 5455 .sk_getsecid = selinux_sk_getsecid,
5461 .sock_graft = selinux_sock_graft, 5456 .sock_graft = selinux_sock_graft,
5462 .inet_conn_request = selinux_inet_conn_request, 5457 .inet_conn_request = selinux_inet_conn_request,
5463 .inet_csk_clone = selinux_inet_csk_clone, 5458 .inet_csk_clone = selinux_inet_csk_clone,
@@ -5472,15 +5467,15 @@ static struct security_operations selinux_ops = {
5472 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5467 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5473 .xfrm_state_free_security = selinux_xfrm_state_free, 5468 .xfrm_state_free_security = selinux_xfrm_state_free,
5474 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5469 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5475 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5470 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5476 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5471 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5477 .xfrm_decode_session = selinux_xfrm_decode_session, 5472 .xfrm_decode_session = selinux_xfrm_decode_session,
5478#endif 5473#endif
5479 5474
5480#ifdef CONFIG_KEYS 5475#ifdef CONFIG_KEYS
5481 .key_alloc = selinux_key_alloc, 5476 .key_alloc = selinux_key_alloc,
5482 .key_free = selinux_key_free, 5477 .key_free = selinux_key_free,
5483 .key_permission = selinux_key_permission, 5478 .key_permission = selinux_key_permission,
5484#endif 5479#endif
5485 5480
5486#ifdef CONFIG_AUDIT 5481#ifdef CONFIG_AUDIT
@@ -5520,15 +5515,14 @@ static __init int selinux_init(void)
5520 5515
5521 original_ops = secondary_ops = security_ops; 5516 original_ops = secondary_ops = security_ops;
5522 if (!secondary_ops) 5517 if (!secondary_ops)
5523 panic ("SELinux: No initial security operations\n"); 5518 panic("SELinux: No initial security operations\n");
5524 if (register_security (&selinux_ops)) 5519 if (register_security(&selinux_ops))
5525 panic("SELinux: Unable to register with kernel.\n"); 5520 panic("SELinux: Unable to register with kernel.\n");
5526 5521
5527 if (selinux_enforcing) { 5522 if (selinux_enforcing)
5528 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5523 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5529 } else { 5524 else
5530 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5525 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5531 }
5532 5526
5533#ifdef CONFIG_KEYS 5527#ifdef CONFIG_KEYS
5534 /* Add security information to initial keyrings */ 5528 /* Add security information to initial keyrings */
@@ -5553,8 +5547,8 @@ next_sb:
5553 if (!list_empty(&superblock_security_head)) { 5547 if (!list_empty(&superblock_security_head)) {
5554 struct superblock_security_struct *sbsec = 5548 struct superblock_security_struct *sbsec =
5555 list_entry(superblock_security_head.next, 5549 list_entry(superblock_security_head.next,
5556 struct superblock_security_struct, 5550 struct superblock_security_struct,
5557 list); 5551 list);
5558 struct super_block *sb = sbsec->sb; 5552 struct super_block *sb = sbsec->sb;
5559 sb->s_count++; 5553 sb->s_count++;
5560 spin_unlock(&sb_security_lock); 5554 spin_unlock(&sb_security_lock);
@@ -5673,10 +5667,11 @@ static void selinux_nf_ip_exit(void)
5673#endif /* CONFIG_NETFILTER */ 5667#endif /* CONFIG_NETFILTER */
5674 5668
5675#ifdef CONFIG_SECURITY_SELINUX_DISABLE 5669#ifdef CONFIG_SECURITY_SELINUX_DISABLE
5670static int selinux_disabled;
5671
5676int selinux_disable(void) 5672int selinux_disable(void)
5677{ 5673{
5678 extern void exit_sel_fs(void); 5674 extern void exit_sel_fs(void);
5679 static int selinux_disabled = 0;
5680 5675
5681 if (ss_initialized) { 5676 if (ss_initialized) {
5682 /* Not permitted after initial policy load. */ 5677 /* Not permitted after initial policy load. */